
[ScreenOS] What ports are used for NAT Traversal?


Article ID: KB3904 | KB Last Updated: 14 Dec 2017 | Version: 8.0
Summary:
What ports are used for NAT-T?
Symptoms:

Environment:

  • NAT Traversal VPN tunnel
  • VPN using Pre-shared secret
When setting up an IPSec tunnel, the presence of a NAT device along the data path has no effect on Phase 1 and Phase 2 IKE negotiations, which always encapsulate IKE packets within User Datagram Protocol (UDP) segments. However, after the Phase 2 negotiations complete, performing NAT on the IPSec packets causes the tunnel to fail. Of the many reasons why NAT disrupts IPSec, one is that for the Encapsulating Security Payload (ESP) protocol, NAT devices cannot locate the Layer 4 header for port translation (because it is encrypted). For the Authentication Header (AH) protocol, NAT devices can modify the port number, but the authentication check, which covers the entire IPSec packet, then fails.

NAT devices can create another problem if they are also IKE/IPSec-aware and attempt to process packets with the IKE port number of 500 or the IPSec protocol numbers 50 (for ESP) and 51 (for AH).

Symptoms & Errors:

  • What ports are used for NAT Traversal?
Solution:

To avoid such intermediary processing of IKE packets, version 2 of the following IETF drafts proposes shifting (or “floating”) the UDP port numbers used for IKE from 500 to 4500:

draft-ietf-ipsec-nat-t-ike-00.txt
draft-ietf-ipsec-udp-encaps-00.txt


To avoid intermediary processing of IPSec packets, both version 0 and version 2 of the drafts insert a UDP header between the outer IP header and the ESP or AH header, thereby changing the value in the IP Protocol field from 50 or 51 (for ESP or AH respectively) to 17 (for UDP), with UDP port 4500. The current version of ScreenOS software supports NAT-T based on draft-ietf-ipsec-nat-t-ike-02.txt and draft-ietf-ipsec-udp-encaps-02.txt, as well as version 0 of these drafts.

In summary, the following ports are used when NAT Traversal is enabled:

  • Encapsulating Security Payload (ESP): IP Protocol 50 -> UDP port 4500
  • Authentication Header (AH): IP Protocol 51 -> UDP port 4500
  • ISAKMP/IKE negotiations: UDP port 500 -> UDP port 4500
Note: The source port used for IKE negotiations by a device behind a NAT device will vary depending on whether that gateway is the initiator or the responder.
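As an added example (not part of this article), the Python below performs the UDP encapsulation just described: a UDP header with port 4500 is inserted in front of the ESP packet and the outer IP Protocol value becomes 17. The receive-side rule for telling IKE, ESP and NAT keepalives apart on port 4500 follows RFC 3948, the standardized form of the udp-encaps draft cited above; the ESP packet used is constructed sample data.

```python
import struct

IKE_PORT, NAT_T_PORT = 500, 4500      # IKE floats from 500 to 4500 once NAT is detected
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17

def udp_encapsulate_esp(esp_packet: bytes, src_port: int = NAT_T_PORT,
                        dst_port: int = NAT_T_PORT) -> tuple:
    """Insert a UDP header between the outer IP header and the ESP header.
    Returns the new outer IP Protocol value (17 instead of 50) and the UDP datagram."""
    udp_len = 8 + len(esp_packet)
    # A zero UDP checksum is legal for IPv4; the ScreenOS output on this page shows
    # 'nat-t udp checksum enabled', i.e. the firewall computes a real one instead.
    udp_header = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return PROTO_UDP, udp_header + esp_packet

def classify_nat_t_payload(udp_payload: bytes) -> str:
    """Demultiplex a datagram received on UDP/4500 using the RFC 3948 rules:
    a single 0xFF byte is a NAT keepalive, four zero bytes (the Non-ESP Marker)
    precede an IKE message, and anything else starts with the ESP SPI, which is
    never zero. Anything too short to be ESP is reported as malformed."""
    if udp_payload == b"\xff":
        return "nat-keepalive"
    if udp_payload[:4] == b"\x00\x00\x00\x00" and len(udp_payload) > 4:
        return "ike"
    if len(udp_payload) >= 8:
        spi = struct.unpack("!I", udp_payload[:4])[0]
        return f"esp spi=0x{spi:08x}"
    return "malformed"

# Constructed sample: ESP header with SPI 0x1001, sequence number 1, 16 bytes of ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x1001, 1) + b"\xaa" * 16
```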
Example:
The Juniper firewall behind a NAT device needs to initiate traffic. In the diagram below, SSG5 is the initiator, while SSG140 is the responder.

On the SSG140, "get ike cookie" will display the port actually used on the local firewall, remote firewall, and remote NAT device.
get ike cookie:

1097522f/0006, 10.123.0.1:1037->10.123.0.2:4500, PRESHR/grp2/3DES/SHA, xchg(4) (g1/grp-1/usr1)
resent-tmr 1025 lifetime 28800 lt-recv 28800 nxt_rekey 28782 cert-expire 0
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map:
keepalive frequency 5 sec
nat-t udp checksum enabled
local pri ip 10.123.0.2
local pri ike port 4500
local pub ip 0.0.0.0
local pub ike port 0
remote pri ip 10.123.123.2
remote pri ike port 4500
remote pub ip 10.123.0.1
remote pub ike port 1037
internal ip 0.0.0.0
internal port 0
natt proto 17
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0

In this case, SSG5 initiates the connection and sends from UDP port 4500. The NAT device then translates the source port to a random port, which in this case is port 1037.
This is the output of "get ike cookie" from SSG5:

1097522f/0006, 10.123.123.2:4500->10.123.0.2:4500, PRESHR/grp2/3DES/SHA, xchg(4) (g1/grp-1/usr-1)
resent-tmr 1025 lifetime 28800 lt-recv 28800 nxt_rekey 26341 cert-expire 0
initiator, err cnt 0, send dir 1, cond 0x0
nat-traversal map:
keepalive frequency 5 sec
nat-t udp checksum enabled
local pri ip 10.123.123.2
local pri ike port 4500
local pub ip 0.0.0.0
local pub ike port 0
remote pri ip 10.123.0.2
remote pri ike port 4500
remote pub ip 10.123.0.2
remote pub ike port 4500
internal ip 0.0.0.0
internal port 0
natt proto 17
ike heartbeat : disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 0
DPD seq local 0, peer 0  
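The two outputs above can be checked mechanically. As an added example (not from the article), this Python parses an abridged copy of the SSG140's "get ike cookie" output shown above and reports the ports in use and whether the peer sits behind a NAT device; the field names are those of the output on this page, while the derived flags are this example's own interpretation.

```python
import re

# Abridged 'get ike cookie' output from the SSG140 (the responder), as shown on this page.
SSG140_COOKIE = """\
1097522f/0006, 10.123.0.1:1037->10.123.0.2:4500, PRESHR/grp2/3DES/SHA, xchg(4) (g1/grp-1/usr1)
responder, err cnt 0, send dir 1, cond 0x0
nat-traversal map:
keepalive frequency 5 sec
nat-t udp checksum enabled
local pri ip 10.123.0.2
local pri ike port 4500
local pub ip 0.0.0.0
local pub ike port 0
remote pri ip 10.123.123.2
remote pri ike port 4500
remote pub ip 10.123.0.1
remote pub ike port 1037
natt proto 17
"""

MAP_FIELDS = ("local pri ip", "local pri ike port", "local pub ip", "local pub ike port",
              "remote pri ip", "remote pri ike port", "remote pub ip", "remote pub ike port",
              "natt proto")

def parse_ike_cookie(text: str) -> dict:
    """Extract the cookie line, the role and the NAT-T map from 'get ike cookie' output."""
    info = {}
    head = re.search(r"^([0-9a-f]+)/\d+,\s+(\S+?):(\d+)->(\S+?):(\d+)", text, re.M)
    info["cookie"] = head.group(1)
    # The arrow runs initiator -> responder: (src ip, src port, dst ip, dst port).
    info["flow"] = (head.group(2), int(head.group(3)), head.group(4), int(head.group(5)))
    info["role"] = re.search(r"^(initiator|responder),", text, re.M).group(1)
    for field in MAP_FIELDS:
        m = re.search(rf"^{re.escape(field)}\s+(\S+)$", text, re.M)
        info[field] = int(m.group(1)) if ("port" in field or field == "natt proto") else m.group(1)
    return info

def nat_t_summary(info: dict) -> dict:
    """Answer the article's question for one gateway: is NAT-T active, is the peer NATted,
    and which public port does the peer's IKE / encapsulated ESP traffic arrive from?"""
    peer_natted = (info["remote pub ip"] != info["remote pri ip"]
                   or info["remote pub ike port"] != info["remote pri ike port"])
    return {"role": info["role"],
            "nat_t_active": info["natt proto"] == 17 and info["local pri ike port"] == 4500,
            "peer_behind_nat": peer_natted,
            "peer_public_port": info["remote pub ike port"]}
```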


For additional explanations on NAT-Traversal, refer to page 257 of ScreenOS Concepts & Examples Guide - Virtual Private Networks.
Modification History:
2017-12-07: Article reviewed for accuracy. Minor grammatical change done. Article is correct and complete.
